One of the first questions businesses ask when they start looking into ISO certification is: how long is this actually going to take? It's a fair question. You need to know whether you're looking at three months or twelve before you can commit resources, plan around audits, or promise anything to a client asking for proof of certification.

The honest answer is: it depends. But that doesn't mean you can't plan. This article breaks down what a realistic timeline looks like, what the main variables are, and what you can do to avoid dragging the process out longer than necessary.

What affects how long certification takes

No two businesses arrive at the starting line in the same place. A company that already has documented processes, a culture of quality, and dedicated staff to lead the project will move significantly faster than one that's starting from scratch with no management systems in place.

The key factors that shape your timeline include:

  • Your current state of readiness — Do you already have documented procedures, risk registers, or quality management processes? Or are you building everything from the ground up?
  • The standard you're pursuing — Some standards are more complex than others. ISO 27001, for example, involves a detailed risk assessment and a lengthy Annex A controls review that simply takes time to do properly.
  • The size of your business — A sole trader or a team of five will move much faster than a 200-person operation with multiple departments and locations.
  • How much internal resource you can commit — If your quality manager is only spending a few hours a week on this alongside everything else, progress will be slow. If someone owns the project properly, it moves faster.
  • Your certification body's availability — Auditors are often booked weeks or months in advance. This is particularly true in Q1 and Q4 when many businesses try to time their audits around the calendar year.

Typical timelines by standard

These are realistic ballpark figures for UK SMEs — not the optimistic estimates you'll see on some consultancy websites.

ISO 9001 (Quality Management)

For a small business with some existing processes documented: 3 to 6 months. For a larger or more complex organisation starting from scratch: 6 to 12 months.

ISO 27001 (Information Security)

This standard has more moving parts. The risk assessment alone can take several weeks to do thoroughly. Expect 6 to 12 months for most SMEs, and up to 18 months for larger organisations or those with complex IT environments.

ISO 14001 (Environmental Management)

Similar in scope to ISO 9001. Most businesses land in the 4 to 9 month range, depending on how significant your environmental impacts are and how much evidence you need to gather.

ISO 45001 (Health and Safety)

Typically 4 to 9 months. Businesses that already have a mature health and safety culture — especially those transitioning from OHSAS 18001 — tend to sit at the lower end.

💡 A note on integrated management systems

If you're pursuing two or more standards at the same time (for example, ISO 9001 and ISO 14001), you don't simply double the timeline. Many elements — such as your management review process, internal audit programme, and document control procedures — overlap significantly. Pursuing them together can actually be more efficient, though it does require more upfront planning.

The four stages of getting certified

Whatever standard you're pursuing, the journey follows a broadly consistent shape.

  1. Gap analysis — You assess where you are now against the requirements of the standard. This tells you what's already in place and what needs to be built. Some businesses do this themselves; others bring in an external consultant. A thorough gap analysis typically takes two to four weeks.
  2. Implementation — This is the bulk of the work. You're writing and documenting your management system, training staff, embedding new processes, and gathering evidence. For most businesses, this phase takes two to eight months depending on complexity.
  3. Internal audit and management review — Before your external audit, you need to run at least one internal audit cycle and hold a formal management review. Many standards require you to have some operational history before your certification audit — typically at least three months. Don't skip this stage or rush it.
  4. Certification audit — This happens in two stages: Stage 1 (a documentation review, usually a few hours) and Stage 2 (the full on-site assessment). These are usually scheduled two to eight weeks apart. If there are no major nonconformities, certification follows shortly after Stage 2.

Common causes of delays

Many businesses take longer than expected — not because the standard is harder than they thought, but because of avoidable problems.

  • Underestimating the documentation workload. Writing procedures, policies, and records takes time. Businesses that assume this can be done in a week or two often hit a wall.
  • No dedicated owner. When certification is everyone's responsibility, it becomes no one's. Projects stall when there's no single person accountable for driving things forward.
  • Waiting too long to book the certification body. Popular certification bodies get busy. If you leave booking until you think you're ready, you may wait months for an audit slot.
  • Rushing the implementation phase. Auditors can tell when a management system has been thrown together quickly. If your records only go back two weeks and your staff have no awareness of the policies they're supposed to follow, expect nonconformities.
  • Senior management disengagement. ISO standards require visible leadership commitment — it's written into the requirements. If senior leaders aren't engaged, it shows up in the audit.
⚠️ Don't book your audit too early

Some businesses book their Stage 2 audit before their management system has had enough time to generate the records and evidence an auditor needs to see. Most certification bodies recommend at least three months of operational history before the Stage 2 audit. Booking too early can result in your audit being postponed or in costly nonconformities that delay certification further.

How to speed up your certification

There's no shortcut that bypasses doing the work properly — but there are things that genuinely accelerate a well-run project.

  • Start with a proper gap analysis. Knowing exactly what you need to do means you're not discovering gaps mid-project. A good gap analysis turns an unknown into a clear plan.
  • Assign a dedicated project lead. Even if it's a part-time responsibility, having one named person accountable makes a measurable difference to pace.
  • Get leadership buy-in early. The management review, resource decisions, and policy approvals all need senior sign-off. When leadership is engaged from the start, these don't become bottlenecks.
  • Book your certification body early. Contact your chosen certification body before you've finished implementation, not after. Discuss your anticipated readiness date and get an audit slot provisionally reserved.
  • Use your internal audit seriously. Don't treat it as a formality. A rigorous internal audit finds the problems before the external auditor does, giving you time to fix them.

"The businesses that get certified fastest aren't the ones who rush — they're the ones who plan properly from the start."

It's also worth being realistic about what your business can absorb. Pushing too hard to hit an aggressive deadline can lead to a superficial management system that passes the initial audit but struggles to hold up at surveillance audits a year later. Certification is the beginning of a continuous improvement journey, not the finish line.

Ready to get started?

Before you can plan a timeline, you need to know where you're starting from. The single most useful thing you can do right now is understand your current level of readiness — honestly, and against the actual requirements of your chosen standard.

ISOKnow's free ISO readiness assessment helps UK businesses do exactly that. In a few minutes, you'll get a clearer picture of how much ground you need to cover and where to focus your effort first. It won't tell you everything is fine when it isn't — it's designed to give you a realistic view so you can plan with confidence.

Take the free assessment at isoknow.co.uk and start your certification journey with a clear plan rather than a guess.